What is the simplest (setup wise) solution for a webservice client?
I need to make a lightweight app that will connect to and perform actions against a specific webservice server.
The main requirement is there request and response will be SOAP, there will be no libraries that need to be installed for this to run.
It may be implemented in any language and should run on Windows only.
A webservice can get called using javascript, from an HTML page. Put it online, and provide the people with the URL, should be simple enough. Assuming people know you can enter a URL in a browser.
Related
Ok, so I'm struggling a little bit with trying to get a authentication process in my ASP.NET MVC5 (Web API 2) project. To start, here are some requirements:
I can't use Entity Framework (all access to the DB needs to be done through stored procedures)
Needs to target .NET Framework 4.5.2
I am not using ASP.NET Core
I would like to be able to use Bearer (or similar) tokens for authentication
I would like to invalidate tokens if a user logs out or automatically invalidate them after 24 hours
I would like to pass (and receive) XML when sending requests to the "login" (or "token") endpoint (note that ideally the solution should respect the "Content-Type" and "Accepts" headers, so if I send it JSON it should respond in JSON, and if I send it XML it should respond in XML)
I will not be using external providers (e.g. Google) anytime soon (maybe never)
I would like to use the <Authorize> attributes to help with protecting other endpoints
I am using VB.NET, although answers to this question can be in C# (I can convert them or rewrite them to suit)
I would like to store the tokens in the database so I can record which user is doing what within the API
(note that there are lots of reasons why I can't change the above)
I've tried to do this with Owin (OAuth) but I've found the following issues when comparing this to the requirements:
I can't seem to send the token endpoint any XML
Responses from the authentication endpoints (both successful and unsuccessful) are in JSON
I can't invalidate the tokens when logging out
I am happy to move away from OAuth if that is the best way to go for what I want. I would prefer to use Microsoft built nuget packages (ie no third party solutions) or I'm happy to partially roll my own solution (I would like to leverage as much of in-built or Microsoft built code, including Identity and Claims as possible so I can minimise testing efforts).
I have read numerous StackOverflow questions about this and search heaps on the internet, but most articles stick with OAuth despite the above issues or they rely on EntityFramework. My current solution uses the code from here (pretty much copy/pasted with some custom code in ApplicationOAuthProvider.GrantResourceOwnerCredentials()): https://www.codeproject.com/Articles/1187872/Token-Based-Authentication-for-Web-API-where-Legac
Thanks for the help!
I did some more extensive research and it looks like OAuth is not applicable for my specific situation. Although it seems like a nice authentication method, I really need to invalidate tokens via the DB, and I need the API to always send/receive XML (these are apparently not applicable when using OAuth).
To solve these problems, I have rolled my own token-based solution that creates a hashed token on the client side, so I never send passwords over the wire (which is a little bit nicer) because the token is generated on the client side (note that I am controlling what happens on the client side - these are all in house clients and I am writing the libraries these clients will use). This involved me creating my own filter which inherits System.Web.Http.AuthorizeAttribute.
If anyone stumbles across this question and provides a really good answer, I'm more than happy to mark theirs as accepted.
I'm new to IBM BPM and am trying to put together a process that sends a POST request to a RESTful web service using teamworks.HttpClient.
I am able to POST via Chrome's Advanced REST Client, so I know the server and service are accessible from my system.
When I try to do this via teamworks.HttpClient in Process Designer I get HTTP Status 405. I've only ever seen that when I screwed up and specified GET.
I have written Ajax calls in JavaScript to access this service. I have had to specify POST in the Ajax calls.
Is teamworks.HttpClient configured to be a GET or POST by default? If it does GET, how can I tell it to do a POST?
If I understood correctly what you did, your assumption is correct: teamworks.HttpClient fires a HTTP GET by default. As far as I know, there is no way of configuring it to send a POST request.
I would recommend writing your own Java Integration Service with a more capable web client, this will be really handy for the future anyways:
http://www.ibm.com/developerworks/bpm/bpmjournal/1404_boyer/1404_boyer.html
This resource includes writing your own REST Server, but at the bottom there is also a chapter about implementing a REST Client as a Java Integration Service.
How to work when internet connection down in a asp.net application ?
Means Users are working on application and suddenly internet connection down then user should still be able to add/edit/ delete operation on data, but when internet connection is up then
all changes should be done at server. Is that possible, Is there any example available to achieve this?
Thanks.
HTML5 has some offline capabilities. http://www.html5rocks.com/en/features/offline
But do you really have a business case for this? It will get complicated when you need to try and update stale data etc.
This requires use of JavaScript to store local data http://code.msdn.microsoft.com/Working-with-HTML5-local-b0cbe2ef and it needs to check whether the server can be reached before doing a proper postback, or more likely just use AJAX to communicate between the JavaScript application and the server.
There are several applications like this such as Google Mail, and such solutions are more JavaScript based than ASP.NET and you need to avoid relying on the web forms mechanisms and use .NET for building the initial page, dealing with AJAX requests and managing the application data and persistence. See How to write an offline version of an AJAX/ASP.NET web application
excuse me if i will sound little stupid but this thing had confused me to the core and i have been searching like crazy on net with no ultimate answer so i hope some one would shed more light on this matter.
now i wanna create a portal site and my client require that everything should be AJAX'ed so i have been playing with ASP.NET AJAX 4 and client site templating and web service, and of course the performance is great with JASON results, but my web Service code will be Public because anything available to JAVA script is available to anyone so as i read to avoid this i must :
use SSL but this is a portal site and front end should not use SSL
Authentication, will this is fine but for back-end and not front-end as login is not required.
after reading a lot as i have mentioned, i have come to the following pitfalls when using web service with AJAX and hope there is a solution or at least a way to bring more security
DOS:
i have read some articles that suggest you should throttle using IP detection and block this request for a while but here are some of the things i am worried about
will it affect search engine crawlers ?
will the hacker be able to bypass this by using proxy or other mean ?
Session HighJacking:
this is scary i still don't know how this can happen when you are using ASP.NET membership, i thought it is a pretty solid membership system!
and will a hacker be able to steal someones pass through this method?
a way to hide your code or encrypt it:
i think i am making a fool of myself here because i have mentioned that if it is public to java script then it is public to anyone, but my client would not want people to see the code writing logic and function.
Hide Webserivce:
like if you use fiddler you can see in the RAW data the path to for example www.mysite.com/toparticles/getTopArticles(10) again this scares my client and i have tried to disable WSDL and documentation in webconfig but this only blocks direct access to the file and nothing more or am i wrong! is there a way to hide the path to web service?
so all in all my top concerns is to prevent hammering any of my web services and hide my code as much as possible.
so am i to paranoid as on the front end i am going mostly to be pulling Data but again i may give user the option to save for example his widget preferences in DB, etc... and it is not gonna be through SSL thus the above security threats are valid.
i hope some one can also share his experience on this matter,
thanks in advance.
Any functionality exposed on the web is going to be, well... exposed on the web. Even if you were using pure ASP.NET with postbacks, sniffers can see the traffic and mimic the postbacks, Ajax just takes that to its logical extreme. Webservices are (for the most part) just like any other get/post system (RESTful or not).
There are some methods that you can use to secure your webservices from unauthorized access, but in truth these are the exact same things you would do to secure any other site (asp.net, traditional web, etc).
There are lots of articles all over the web about how to secure your website, and these will apply equally well to AJAX, Webservices, etc.
If you are really concerned about your webservices being publicly exposed, you can use your own custom reverse proxy to hide the services inside the customers network and only expose the proxy to the outside world. You can then secure the services so they are only accessed through the proxy and provide whatever appropriate security on the proxy you feel relevant. In this way all traffic comes through servers that you specify and is restricted (to a reasonable degree) from prying eyes. In general though I think this might be over-kill especially for a portal site.
One thing to talk with your client about is the upsell value of using webservices as a sellable product to integrators. In other words, designing the security into the webservices and using the portal only as an example of how to put it all together. A clear example of this is SharePoint, which is in truth a collection of webservices and processes and the website is really just for convenience, the power of SharePoint is in the interop of the services.
For more specific answers to your security questions, there are plenty of posts here on SO as well as the web covering each of your specific points.
We have an intranet system that schedules routine tasks. We also have Fogbugz for bug tracking. When an urgent bug comes in, we track that task in the bugtracker. However, I need to write back to both the Intranet and our CMS. I'm thinking Biztalk as the middle piece, but am not sure the best way to go about it. Database adapter? Web services?
I know I can use the CMS adapter for Microsoft CMS. I'd love to hear your experiences with Fogbugz.
I'm guessing that watching the database for changes would be the best way to do it. That way, you could post any changes you saw happen in the FogBugz database through other Biztalk adapters.
Please keep us updated with what you decide to do - I'd be interested to hear about it.
Version 6 of the FogBugz API is pretty well documented at http://www.fogcreek.com/FogBugz/docs/60/topics/advanced/API.html. The API is implemented as an ASP page that accepts GET or POST params and returns XML after a user has been authenticated.
So, we can use the HTTP Send Adapter to POST requests to the FogBugz system, either updating bug records or retrieving information. The response from the API call is basic Xml that will be returned in the response body that can be read by BizTalk as necessary.
Be aware that the HTTP Send Adapter can only POST data - it cannot use the GET verb (http://msdn.microsoft.com/en-us/library/aa561642.aspx)
Isn't FogBugz based on a SQL Server Database? Or do you use a hosted alternative?
If it's using a SQL Server you're controlling I'd just tie up two send ports to the process that read and handles the "FixBugMessage". One send port that uses the CMS Adapter and writes to the CMS and another that just uses the SQL Adapter and via an Stored Procedure writes to the FogBugz database.